What Is NTLM Used For?Windows New Technology LAN Manager (NTLM) is a suite of security protocols offered by Microsoft to authenticate users’ identity and protect the integrity and confidentiality of their activity. At its core, NTLM is a single sign on (SSO) tool that relies on a challenge-response protocol to confirm the user without requiring them to submit a password. Show
Despite known vulnerabilities, NTLM remains widely deployed even on new systems in order to maintain compatibility with legacy clients and servers. While NTLM is still supported by Microsoft, it has been replaced by Kerberos as the default authentication protocol in Windows 2000 and subsequent Active Directory (AD) domains. How Does the NTLM Protocol Work?NTLM authenticates users through a challenge-response mechanism. This process consists of three messages:
NTLM Authentication ProcessNTLM authentication typically follows the following step-by-step process:
The Difference Between NTLM and Kerberos?Like NTLM, Kerberos is an authentication protocol. It replaced NTLM as the default/standard authentication tool on Windows 2000 and later releases. The main difference between NTLM and Kerberos is in how the two protocols manage authentication. NTLM relies on a three-way handshake between the client and server to authenticate a user. Kerberos uses a two-part process that leverages a ticket granting service or key distribution center. Another main difference is whether passwords are hashed or encrypted. NTLM relies on password hashing, which is a one-way function that produces a string of text based on an input file; Kerberos leverages encryption, which is a two-way function that scrambles and unlocks information using an encryption key and decryption key respectively. Even though the Kerberos protocol is Microsoft’s default authentication method today, NTLM serves as a backup. If Kerberos fails to authenticate the user, the system will attempt to use NTLM instead. Why Was NTLM Replaced by Kerberos?NTLM was subject to several known security vulnerabilities related to password hashing and salting. In NTLM, passwords stored on the server and domain controller are not “salted” — meaning that a random string of characters is not added to the hashed password to further protect it from cracking techniques. This means that adversaries who possess a password hash do not need the underlying password to authenticate a session. As a result, systems were vulnerable to brute force attacks, which is when an attacker attempts to crack a password through multiple log-in attempts. If the user selects a weak or common password, they are especially susceptible to such tactics. NTLM’s cryptography also fails to take advantage of new advances in algorithms and encryption that significantly enhance security capabilities. Kerberos ProtocolKerberos was developed by researchers at the Massachusetts Institute of Technology (MIT) in the 1980s. The name is derived from the Greek mythological character Kerberos, the three-headed dog who guards the underworld. In practice, the three security components in the Kerberos protocol are represented as:
Kerberos AuthenticationHere is the twelve-step process for Kerberos authentication:
Applications That Use NTLMNTLM was replaced as the default authentication protocol in Windows 2000 by Kerberos. However, NTLM is still maintained in all Windows systems for compatibility purposes between older clients and servers. For example, computers still running Windows 95, Windows 98, or Windows NT 4.0 will use the NTLM protocol for network authentication with a Windows 2000 domain. Meanwhile, computers running Windows 2000 will use NTLM when authenticating servers with Windows NT 4.0 or earlier, as well as when accessing resources in Windows 2000 or earlier domains. NTLM is also used to authenticate local logons with non-domain controllers. NTLM Benefits and ChallengesNTLM is considered an outdated protocol. As such, its benefits — when compared to a more modern solution, such as Kerberos — are limited. Yet the original promise of NTLM remains true: Clients use password hashing to avoid sending unprotected passwords over the network. At this point there are several clear disadvantages to relying on NTLM authentication:
How Can You Protect Your Network Using NTLM?Given the known security risks associated with NTLM, CrowdStrike recommends that organizations try to reduce NTLM usage in their network as much as possible. For organizations still relying on NTLM for compatibility reasons, CrowdStrike offers the following recommendations to enhance security and minimize risk.
Get rid of clients sending LM responses and set the Group Policy Object (GPO) network security: LAN Manager authentication level to refuse LM responses. What are the 3 types of computer authentication?The three authentication factors are: Knowledge Factor – something you know, e.g., password. Possession Factor – something you have, e.g., mobile phone. Inherence Factor – something you are, e.g., fingerprint.
What are supported authentication options?5 Common Authentication Types. Password-based authentication. Passwords are the most common methods of authentication. ... . Multi-factor authentication. ... . Certificate-based authentication. ... . Biometric authentication. ... . Token-based authentication.. What are some options available in Windows 10 as a method of authenticating when connecting via the Windows 10 built in VPN client?The following credential types can be used:. Smart card.. Certificate.. Windows Hello for Business.. User name and password.. One-time password.. Custom credential type.. Which of the following authentication methods does Windows Hello support?Windows Hello is a more personal, more secure way to get instant access to your Windows 10 devices using a PIN, facial recognition, or fingerprint.
|